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Abstract — In this paper, we propose a new security 
protocol which is styled hierarchical access control-based 
proxy signature (HACBPS). In hierarchical access 
control, upper security level users can access some secret 
information hold by lower security level users, but reverse 
is not allowed. Whereas in proxy signature, on behalf of 
the original signer, proxy signer can generate the 
signature on an arbitrary message. In our protocol, an 
upper security level user (considered as original signer) 
can delegate his signing right for signature generation on 
an arbitrary message to a lower security level user 
(considered as proxy signer) and the proxy signer can 
generate proxy signature on behalf of the original signer. 
In HACBPS, each user in a hierarchy holds two secret 
keys: one key can be accessed by upper security level 
users and other one is not accessible to any other user. 

Index Terms — cryptography, security, access control, 
proxy signature, Poset 

I. Introduction 

'In an access control of a hierarchical structure, a user 
has access some secrets to another if and only if the 
former is superior of the later. The access control for a 
hierarchy can be represented by a partially ordered set 
(Poset). A hierarchy is constructed by dividing users 
into number disjointed users, say 

U X ,U 2 ,U 3 , .. .,U n which are partially ordered 
with a binary relation <= • In a hierarchy, 

Ui—Uj means that the security level of ^ i is 
lower than that of. In other words, "_/ can access 
some secret information held by user U f j while the 
opposite is not allowed. Figure 1 shows a three level 
hierarchical structure. The top level user (that is, U \ ) 
poses the highest security and security decreases with 
increase in level. Hence, users (that is, U 4 , U 5 , U 6 ) 
in bottom level have least security. In 1983, AM and 
Taylor first propose hierarchical access-based key 
assignment scheme [1]. In 1998, Sandhu proposed a 
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tree structural access control scheme [7]. Wu-Wei 
proposed a scheme [2] which satisfies the indirect 
access control mechanism. Ham-Lin proposed a 
scheme [3] which satisfies the direct access control 
mechanism and is based on the RSA cryptosystem. Giri 
and Srivastava proposed two schemes: one is access 
control in tree structural hierarchy [8] and other is 
poset ordered hierarchy [9] in 2007 and 2008 
respectively. Sheng Zhong proposed a scheme [4] 
which satisfies the indirect access control mechanism. 
The direct access control schemes achieve smaller 
storage spaces for storing public information and better 
dynamics. The access control is motivated by the 
scenario. A CEO (Chief Executive Officer) of a 
company can access to some important documents of 
his General Manager. But General Manager cannot be 
permitted to access the CEO's documents. In the same 
manner, General Manager can access the documents of 
his/her lower level employees, but opposite is strictly 
prohibited. Whereas, in a proxy signature, proxy 
signature generation is allowed by a designated person, 
called a proxy signer, to sign an arbitrary message on 
behalf of an original signer. An original signer delegates 
his/her signing capability to a proxy signer (by issuing a 
proxy key) and then proxy signer signs a message on 
behalf of the original signer using the proxy key. A 
verifier can check the validity of that signature and also 
know the signature which is signed by the proxy signer 
rather than that by the original signer. More precisely, 
the original signer sends a specific message with its 
signature to the proxy signer who then uses this 
information to construct a proxy signing key. Using the 
proxy signing key, the proxy signer can generate proxy 
signatures. From a proxy signature, anyone can verify 
both the original signer's delegation and the proxy 
signer's digital signature. The concept of the proxy 
signature introduces first by Mambo et al. [5, 6]. After 
that many authors propose many schemes on proxy 
signatures. In 2008, Giri and Srivastava proposed a 
proxy signature scheme [10] after removing te 
weaknesses of Das el al.'s proxy signature scheme 
[11]. The real life example of proxy signature is as 
follows: Let CEO of a company wants to ask his 
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General Manager to sign some important documents on 
his behalf. In this paper, we propose a new security 
protocol which is combination of hierarchical access 
control and proxy signature is called access control 
based proxy signature. But if we simply 2 combine two 
existing schemes (one is hierarchical access control and 
other proxy signature) without any change (or new 
design) then the combined scheme can not be no longer 
secure, because of fact that secrete key of the lower 
level security users must be derived (or accessed) by 
their upper level security users. And so for the proxy 
signature scheme, if we use the secrete key for the 
proxy signature generation then the upper level security 
user can generate the proxy signature because he/she 
also able to derive (or access) the secrete keys' of its 
lower level security users. Therefore, the scheme is not 
proxy protected. But proposed scheme solves that 
weakness. In our proposed scheme, each user in a 
hierarchy holds two secret keys: one key can be 
accessed by upper security level users and other one is 
not accessible to any other user. 

The remainder of this paper is organized as 
follows. In Section II, we introduce our proposed 
HACBPS scheme. In Section III, we analyze the 
security of our proposed scheme. Section IV shows the 
time complexity required for our scheme. Finally, 
Section V concludes the paper. 
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Figure 1 : An Example of a Hierarchical Structure 

II. Proposed HACBPS Scheme 

The HACBPS is the combination of two schemes: 
first, hierarchical access control scheme; second, a 
proxy signature scheme. There exists a trusted CA 
(central authority) in the system that can generate and 
assign keys for each user in a hierarchy. The scheme 
consists of eight phases namely, setup, Key assignment 
by CA, Key derivation by an upper level user, Key 
generation by a user, Proxy key generation, Proxy key 
verification, Proxy signature generation, Proxy 
signature verification. 

A. Setup 

Let H\) be a cryptographic one-way hash 
function and g a generator of Z p (where is a large 
prime of length at least 1024-bit for security 
consideration). 



B. Key assignment by CA 
Suppose there exists n 



users in a hierarchy, say 



U l , U 2 , ■ ■ ■ , U n . The CA can assign keys for each 
user in a hierarchy is as follows. 

1 . CA first choose the root node, that is U i (in 
the rest of the paper, we consider "node" 
means a user in a hierarchy) and chooses an 



arbitrary key x \ 

u, =g x 'mo& p. 



CA 



computes 



2. Next, CA chooses a node using the technique 
of breadth first traversal (BFT) of the 

hierarchical structure. Let U ,- be the node 
chosen by the CA according to BFT. 
3. If node U j is only one direct parent node of 

' , the secret key of J is '' where 

x=H{x,ID.) 

i \ j' i> , 

(1) where -"-*,■ is the identity of the user 
U,. 



4. If the node U j has more than one direct 
parent nodes, say U jj,U . 2 ,U - 3 
where keys of U jj,U j 2 ,U j 3 , ...,U j t 



■ U P 



x jl ,x J2 ,x J3 ,...,x jt 



respectively, then CA first 
chooses the secret key x / for the user U , . CA 
then generates the Newton's interpolating 
polynomial [12] over modulo P containing the 

points {H(ID J \\x ji ), Xjg*" mod p) for 
1=1,2,...,* . We denote this polynomial as 
P j\ x ) . CA publishes the P j\ x ) in a public 

directory. 

_ . w,.=e*'mod p. 

5. CA computes ' & ^ 

6. Go to step 2 until all users arc not taken consideration in the hierarchy. 

u,=g Xi mod p U, 

x 



Note: CA publishes each 



corresponding to the user 



to the user 



(for 



and sends the secret key 
i=l,2,....) in secure manner. 

Example. CA assigns the secret keys for the users 
corresponding to Figure 1 shown below. CA assigns 

CA then computes 
for the 



user U x 



x i for the 
x 2 =H (ID 2 \\x x 

users U 2 , U 3 respectively. CA also computes 



x 3 =H(ID 3 \\x 1 



--H{ID 4 \\x 2 ) 



x. 



--H{ID 6 \\x,) 



for the 



users U 4 ,U 6 respectively. Finally, CA constructs a 
Newton's interpolating polynomial containing the 
H (ID 5 \\x 7 ), x 5 g Xl mod p) 

x 5 g x ' mod p ) after choosing 
the secret key x 5 for the user ^5 . 



and {H{ID 5 \\x 3 
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C. Key derivation by an upper level user 

Suppose Uj — Uj with a chain 

U t <U ki <---<U k U k Uj . Let Cj want to 
compute the secret key x t of the user U i _ U- first 
computes the secret key x % of the user U^ using 
(1), if U j is the immediate parent of U k ; 
otherwise if there are many immediate parents of 



U, 



then 



U, 



h{ID,\\ 



j computes hashed value of 
' £, 1 1 •* / ) and put the hashed value as x - 
coordinate in the polynomial *k\ x ) . Hence, Uj 
can get X k g 'mod p and then using his secret key 
x j, Uj recover the secret key x y_ of the user 
U k .In the similar fashion, using the secret key x \ 
(which is computed earlier), U j computes the secret 
key x k of the uses U \ i and so on until computes 
the secret key x t of the user U i . 

D. Key generation by a user 

Each user U j randomly chooses as other secret 

key and computes the corresponding public key. U j 

keeps y j as a secret key and publishes v ,- as public 
parameter. 

E. Proxy key generation 

Let U j be an original signer and U { a proxy 



signer. U ■ chooses a random number 

k 



k(\<k<p—\) and computes K=g mod p ■ He 
also computes a=x J +kx i +Ky j m w modp-l, 

(2) 

where m w is a warrant message which consists of the 
identities of the original as well as proxy signer, 
expiration date. The original signer U ■ delivers the 

proxy key \ ' w * j to the proxy signer ' over a 
public channel. 

F. Proxy key verification 

The proxy signer checks the condition whether 

a Km „x. , 

g =u,Vj K mod p 

(3) 

is true . If the condition is true, the proxy signer 
accepts it as a valid proxy; otherwise it is rejected. 



G. Proxy signature generation 



U. 



The proxy signer ' first chooses 

z ( 1 <z<p— 1 ) and then computes w=g z mod p 

and^* = ^ 'mod p i men computes 



a'=a+y.H{m,m ,v.,v .,L.,w)+zmod p — l . (4) 

■ / /\ Will) 1 \ / 

He then sends the proxy signature 



m,m w ,w,a',L i ,K> 



over a public channel to a 



verifier. 

Note: m w is a warrant message and w is public 

information. 



H. Proxy signature verification 



After receiving 



m,m MI ,w,o\L j ,K> 



the 



verifier checks whether the condition 

T , Him.m ,v ,v ,L ,w\ 
a Am,, " i > i t j (S\ 

g -Uj v j v i J L ( w mod p \?) 

holds or not. If it holds good, the verifier accepts it as a 
valid proxy signature; otherwise it is rejected. 



III. Security Analysis 

In this section, we describe the security analysis of the 
proposed scheme. 

A. Security for the access control 

In our scheme, the key assignment and key 
derivation by upper level users in a hierarchy are 
obtained by a cryptographic one-way hash function. If 

a user ' has only one direct parent node J then 

the key of ' will be ' ' J ' ' ' , where i 

is the secret key of U ■ m Therefore it is difficult for 

U. x 

the user ' to derive the key i of its parent node 

Uj from Hlx j,IDA , because of the fact that it 



is 
computationally infeasible to invert H {) . 

Analogously even a user ' has many immediate 
parents nodes, it is also difficult to compute the secret 
key of any immediate parent node due to the infeasible 
to invert of a cryptographic one-way hash function. 

B. Security analysis for proxy signature 

There are six main security properties to be needed for 
proxy signature such as unforgeability; secret-key's 
dependency, verifiability, distinguishability, 

identifiability and unreliability. 

In our proposed scheme, each user ' has a pair of 

secret keys, ' '^' where J (with l ~ > ) can 

x x U. 

derive ' using his/her secret key J . But ' 

cannot compute the secret key y% from v , due to 

discrete logarithm problem (DLP). Further, ' 

x v ■ 

cannot compute J or i of the upper level security 



user 



U 
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i) Unforgeability 

Suppose an original signer is an adversary A. Now 
let us check whether A can forge a proxy signature on 
an arbitrary message, say w . 

Suppose A chooses m > m W >L ,> w >K an d try 
to find & " such that 

,,, . H[m\m' ,v ,v ,L' ,w\ 
o Am „, ' " i I i It i i J (f,\ 

g = UjVj v i J Ljwmoap W 

holds. Now A knows all values of the parameters of 
right hand side (RHS) of (6). Therefore, A can compute 
RHS of the equation (6). To compute o " such that 
a ,m ,m W ,L t ,w ,K satisfies the condition in 
(6), A has to solve the DLP (discrete logarithm 
problem) which is computationally infeasible. Hence, 
after choosing m',m' w ,L' i ,w',K' [ t [ s 

a 
computationally infeasible to compute l\\ such that 

III 

condition in (6) holds good. Analogously, after 

choosing any five of 

sizelOa,m',m' size8w ,L' sjze4i ,w ,K' ; it is a i so hard 

to compute the value of the rest such that the condition 
in (6) holds. 

it) Secret-Key 's dependence 

In our protocol, original signer derives 
a=x. +kx t +Ky jf n w mod p- 1 a nd proxy 

signerderives 

a'= a+y t H \m,m w ,v i ,v ■,L i ,w\ +zmod p— 1 

From the above equations, it is clear that o' is 
computed using a >yj with some other public 

information, c is derived from x j>yj> x i where 
( x j >y j ) is the secrete key pair of the original signer 
and x i is one of the secrete key of the proxy signer. 
So, original signer using his private key can generate a 
proxy key. It implies that proxy signature key is 
computed from the secrete key of the original signer. 
So proxy signature key is secret-key dependent. 

Hi) Verifiability 

From HACBPS scheme, it is clear that proxy signer 
checks the condition g c *=u f v . '"" K*' L . w mod p , 

where u / > v j are the public information corresponding 
to U, a nd K,m w a re the public information. So by 
these public key, public information and cr , only 
proxy signer can verify the condition. On the other 
hands, one can verify the verification condition in (5). 
Hence the proposed scheme is verifiable. 

iv) Distinguisablity 

In the verification of the proxy signature the 
condition, 



g =U jVj V 



H\m,m ,v ,v ,L ,w\ 
" ' J 



L;W mod p 1S 

necessary, where a ' is generated by the proxy signer 
using the equation 

a—(T+y j H(m,m w ,v i ,v f ,L i ,w) +zmod p— 1 

(where a is computed by the original signer using the 

equation a=x j -r-kx i +Ky j m w mod p-\ ), Hence 

anyone can verify the proxy signature after receiving 

m,m ,w,o\ L jt K> 

. That is to say that a verifier 

can distinguish a proxy signature rather than the 
signature generated by the original signer. 

v) Identifiability 

The verifier can determine the relationship of 
delegation between an original signer and a proxy 
signer, because in the verification condition of the 
proxy signature needs the warrant message m w which 
consists of the identity of the original signer as well as 
proxy signer with expiration date. Hence the verifier 
can determine that the signature is generated by a 
proxy signer on behalf of original signer. 

vi) Undeniability 

In our proxy signature phase, tr' is computed as 
a'=a+y ,. H im,m^ ,v . ,v : ,L . ,w\ +zmod p— 1 

•s l ['Willi 1 ' 

where y ',• is one of the private keys and z a session 
secret generated by the proxy signer or a lower level 
user. Involvement of the private key of a proxy signer 
implies that the proxy signer cannot deny that he has 
not sign the message. Hence the scheme is undeniable. 

IV. Computational Cost 

Following are the computation cost needed for the 
different operation in our scheme. 

^exp : Time taken for a modular exponentiation 

operation. 
hi '■ Time taken for a hashing operation. 
tmul '■ Time taken for modular multiplication of two 

numbers. 
1 add '■ Time taken for modular addition of two 
numbers. 

• Computational cost for proxy key 
generation: ? C x P +3t m «/ +2t arfrf 

• Computational cost for proxy key 
verification: 2t cxp +3t mu/ 

• Computational cost for proxy signature 
generation: 2t cxp +t h +t mul +2t add 

• Computational cost for proxy signature 
verification: 3t exp +t h + 5\. mul 
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V. Conclusion 

In this paper, we have proposed a new security 
protocol which is called hierarchical access control- 
based proxy signature. The concept behind the scheme 
is that anybody in a hierarchy should have two different 
private keys, where one key can be derived by an upper 
level user, using key derivation, but other key is only 
known by the user. The upper level user, after deriving 
one secrete key from his/her lower level, cannot 
generate the valid proxy signature because of the fact 
that other secret key is unknown to the user. We have 
already discussed the security analysis as well as 
computational cost of the proposed scheme. 
Furthermore in our scheme, we can easily adopt 
dynamicity, that is, some users can be added (or 
deleted) in (from) a hierarchy. 
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